NIST SP 800-53 Rev 5 LOW

United States

20 domains

173 controls

NIST SP 800-53 Rev 5 LOW baseline. Federal Information Security Management Act controls for systems at LOW impact level.

Unverified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (20)

AC Access Control

11 controls

Controls in the AC Access Control domain of NIST SP 800-53 Rev 5 LOW — 11 controls
Code	Title	Description
AC-1	Policy and Procedures	Develop and disseminate access control policy and procedures; review at least annually (FedRAMP parameter); update follo...
AC-14	Permitted Actions Without Identification or Authentication	Identify and document actions allowed without identification or authentication.
AC-17	Remote Access	Establish usage restrictions, configuration requirements, and authorize remote access prior to allowing.
AC-18	Wireless Access	Establish configuration requirements, usage restrictions, authorize wireless access.
AC-19	Access Control for Mobile Devices	Establish configuration requirements and usage restrictions for mobile devices.
AC-2	Account Management	Manage accounts; review at least monthly for privileged, every six months for non-privileged (FedRAMP); notify within Fe...
AC-20	Use of External Systems	Establish terms and conditions for use of external systems; prohibit unless authorized.
AC-22	Publicly Accessible Content	Designate users authorized to post; train them; review content quarterly for nonpublic information.
AC-3	Access Enforcement	Enforce approved authorizations for logical access in accordance with policy.
AC-7	Unsuccessful Logon Attempts	Enforce limit of 3 consecutive invalid logon attempts within 15 minutes (FedRAMP); lock for 30 min or until released.
AC-8	System Use Notification	Display approved system use notification/banner before granting access; FedRAMP requires specific language.

AT Awareness and Training

5 controls

Controls in the AT Awareness and Training domain of NIST SP 800-53 Rev 5 LOW — 5 controls
Code	Title	Description
AT-1	Policy and Procedures	Develop, disseminate, and review awareness and training policy and procedures at least annually.
AT-2	Literacy Training and Awareness	Provide security awareness training within FedRAMP-defined timeframe of onboarding, on system change, and at least annua...
AT-2(2)	Insider Threat	Include insider threat recognition and reporting in awareness training.
AT-3	Role-Based Training	Provide role-based security training to personnel with significant security responsibilities before authorizing access a...
AT-4	Training Records	Document and monitor security training; retain records for FedRAMP-defined period (5 years).

AU Audit and Accountability

10 controls

Controls in the AU Audit and Accountability domain of NIST SP 800-53 Rev 5 LOW — 10 controls
Code	Title	Description
AU-1	Policy and Procedures	Develop and review audit/accountability policy annually.
AU-11	Audit Record Retention	Retain audit records for at least one year (FedRAMP minimum) with 90 days immediately accessible online.
AU-12	Audit Record Generation	Provide audit record generation capability on all system components specified in AU-2.
AU-2	Event Logging	Identify event types selected for logging including FedRAMP minimum list; review and update at least annually.
AU-3	Content of Audit Records	Audit records must contain: type, when, where, source, outcome, identity associated.
AU-4	Audit Log Storage Capacity	Allocate audit log storage capacity to accommodate FedRAMP-defined retention period.
AU-5	Response to Audit Logging Process Failures	Alert defined personnel on audit failure within FedRAMP timeframe; take defined action (overwrite oldest, shutdown, stop...
AU-6	Audit Record Review, Analysis, and Reporting	Review and analyze audit records at least weekly (FedRAMP); report findings to defined personnel.
AU-8	Time Stamps	Use internal system clocks; record timestamps with FedRAMP-defined granularity (1 second), UTC or known offset.
AU-9	Protection of Audit Information	Protect audit information and tools from unauthorized access, modification, deletion.

CA Assessment, Authorization, and Monitoring

8 controls

Controls in the CA Assessment, Authorization, and Monitoring domain of NIST SP 800-53 Rev 5 LOW — 8 controls
Code	Title	Description
CA-1	Policy and Procedures	Develop and review assessment/authorization policy at least annually.
CA-2	Control Assessments	Assess controls annually (FedRAMP); third-party assessor (3PAO) required; produce SAR.
CA-3	Information Exchange	Approve and manage exchange of information with external systems using ISA, MOU, contract; review annually.
CA-5	Plan of Action and Milestones	Develop POAM; update at least monthly (FedRAMP); track remediation timelines (HIGH 30 days, MOD 90).
CA-6	Authorization	Senior official authorizes system; reauthorize every three years or upon significant change.
CA-7	Continuous Monitoring	Establish continuous monitoring strategy with FedRAMP-defined metrics, monitoring frequencies, ongoing assessments.
CA-7(4)	Risk Monitoring	Ensure risk monitoring is an integral part of the continuous monitoring strategy and includes effectiveness, compliance,...
CA-9	Internal System Connections	Authorize internal connections of components to system; document interface characteristics.

CM Configuration Management

9 controls

Controls in the CM Configuration Management domain of NIST SP 800-53 Rev 5 LOW — 9 controls
Code	Title	Description
CM-1	Policy and Procedures	Develop and review configuration management policy annually.
CM-10	Software Usage Restrictions	Use software in accordance with contracts and copyright laws; track licenses; document peer-to-peer file sharing control...
CM-11	User-Installed Software	Establish policies governing installation of software by users; enforce; monitor compliance.
CM-2	Baseline Configuration	Develop and maintain baseline configurations; review and update annually (FedRAMP) and when required.
CM-4	Impact Analyses	Analyze changes to determine potential security/privacy impacts.
CM-5	Access Restrictions for Change	Define, document, approve, enforce physical and logical access restrictions for changes.
CM-6	Configuration Settings	Establish/document configuration settings using checklists; CIS/USGCB/DISA STIG when available; HIGH baseline.
CM-7	Least Functionality	Configure system to provide only essential capabilities; prohibit unnecessary functions, services, ports, protocols.
CM-8	System Component Inventory	Develop and document inventory of system components; review and update at least monthly (FedRAMP).

CP Contingency Planning

6 controls

Controls in the CP Contingency Planning domain of NIST SP 800-53 Rev 5 LOW — 6 controls
Code	Title	Description
CP-1	Policy and Procedures	Develop and review contingency planning policy at least annually.
CP-10	System Recovery and Reconstitution	Provide for recovery and reconstitution of system to known state within RTO.
CP-2	Contingency Plan	Develop contingency plan; review and update annually (FedRAMP); coordinate with related plans.
CP-3	Contingency Training	Provide contingency training to users assigned roles; within FedRAMP timeframe of role assignment and at least annually.
CP-4	Contingency Plan Testing	Test contingency plan at least annually (FedRAMP) using FedRAMP-defined tests; review test results.
CP-9	System Backup	Conduct backups of user-level, system-level, and security-related documentation; FedRAMP-defined frequency (daily increm...

IA Identification and Authentication

8 controls

Controls in the IA Identification and Authentication domain of NIST SP 800-53 Rev 5 LOW — 8 controls
Code	Title	Description
IA-1	Policy and Procedures	Develop and review identification and authentication policy at least annually.
IA-11	Re-Authentication	Require re-authentication when FedRAMP-defined circumstances occur (role change, privilege change, time period elapsed).
IA-2	Identification and Authentication (Organizational Users)	Uniquely identify and authenticate organizational users and associate identity with processes acting on behalf of users.
IA-4	Identifier Management	Manage identifiers; uniquely identify; prevent reuse for FedRAMP-defined period.
IA-5	Authenticator Management	Manage authenticators; verify identity prior to issuing; establish initial content; protect.
IA-6	Authentication Feedback	Obscure authentication feedback during authentication process.
IA-7	Cryptographic Module Authentication	Implement authentication to cryptographic modules meeting FIPS 140 (FedRAMP requires FIPS-validated).
IA-8	Identification and Authentication (Non-Organizational Users)	Uniquely identify and authenticate non-organizational users (e.g., federal customers).

IR Incident Response

7 controls

Controls in the IR Incident Response domain of NIST SP 800-53 Rev 5 LOW — 7 controls
Code	Title	Description
IR-1	Event Detection and Triage	Detect, triage and declare cyber events using documented criteria and severity levels.
IR-2	Incident Response and Recovery	Respond to, contain and recover from cyber incidents affecting IT and OT functions.
IR-4	Incident Handling	Implement IR capability for preparation, detection/analysis, containment, eradication, recovery.
IR-5	Incident Monitoring	Track and document incidents.
IR-6	Incident Reporting	Require personnel to report incidents to organizational authorities within FedRAMP timeframe; report to FedRAMP PMO and...
IR-7	Incident Response Assistance	Provide IR support resource (help desk, support group) for incident handling assistance.
IR-8	Incident Response Plan	Develop and implement IRP; review and update annually; distribute.

MA Maintenance

4 controls

Controls in the MA Maintenance domain of NIST SP 800-53 Rev 5 LOW — 4 controls
Code	Title	Description
MA-1	Policy and Procedures	Develop and review maintenance policy at least annually.
MA-2	Controlled Maintenance	Schedule, document, review records of maintenance, repair, replacement of components.
MA-4	Nonlocal Maintenance	Approve and monitor nonlocal maintenance activities; use strong authentication.
MA-5	Maintenance Personnel	Establish process for authorizing maintenance personnel; maintain list of authorized personnel; supervise unauthorized.

MP Media Protection

4 controls

Controls in the MP Media Protection domain of NIST SP 800-53 Rev 5 LOW — 4 controls
Code	Title	Description
MP-1	Policy and Procedures	Develop and review media protection policy at least annually.
MP-2	Media Access	Restrict access to FedRAMP-defined types of digital and non-digital media to authorized personnel.
MP-6	Media Sanitization	Sanitize media prior to disposal, release, or reuse using FedRAMP-defined methods (NIST SP 800-88).
MP-7	Media Use	Restrict or prohibit use of FedRAMP-defined types of media on FedRAMP-defined systems using safeguards.

PE Physical and Environmental Protection

10 controls

Controls in the PE Physical and Environmental Protection domain of NIST SP 800-53 Rev 5 LOW — 10 controls
Code	Title	Description
PE-1	Policy and Procedures	Develop and review physical/environmental policy at least annually.
PE-12	Emergency Lighting	Employ and maintain automatic emergency lighting activating on power outage covering emergency exits.
PE-13	Fire Protection	Employ and maintain fire suppression and detection devices independent of energy source.
PE-14	Environmental Controls	Maintain temperature and humidity within FedRAMP-defined acceptable levels; monitor at FedRAMP frequency.
PE-15	Water Damage Protection	Protect system from damage from water leakage by providing master shutoff valves accessible to key personnel.
PE-16	Delivery and Removal	Authorize and control system components entering/exiting facility; maintain records.
PE-2	Physical Access Authorizations	Develop, approve, maintain list of individuals with authorized facility access; review at least quarterly (FedRAMP).
PE-3	Physical Access Control	Enforce physical access at entry/exit points; verify authorizations; control ingress/egress; maintain audit logs.
PE-6	Monitoring Physical Access	Monitor physical access to facility; review access logs at least weekly (FedRAMP); coordinate review with IR.
PE-8	Visitor Access Records	Maintain visitor access records for FedRAMP-defined period (1 year); review records monthly (FedRAMP).

PL Planning

5 controls

Controls in the PL Planning domain of NIST SP 800-53 Rev 5 LOW — 5 controls
Code	Title	Description
PL-1	Policy and Procedures	Develop and review planning policy at least annually.
PL-10	Baseline Selection	Select FedRAMP High baseline; tailor in accordance with risk assessment.
PL-11	Baseline Tailoring	Tailor selected control baseline; document tailoring actions; review and update annually.
PL-2	System Security and Privacy Plans	Develop SSP that aligns with FedRAMP template; review and update annually.
PL-4	Rules of Behavior	Establish and provide rules describing user responsibilities; receive signed acknowledgement.

PM Program Management

32 controls

Controls in the PM Program Management domain of NIST SP 800-53 Rev 5 LOW — 32 controls
Code	Title	Description
PM-1	Information Security Program Plan	Develop and disseminate an organization-wide information security program plan. Review, update, and protect from unautho...
PM-10	Authorization Process	Manage the security and privacy state of systems through assessment and authorization processes.
PM-11	Mission and Business Process Definition	Define mission and business processes with consideration for information security and privacy.
PM-12	Insider Threat Program	Implement an insider threat program including cross-functional teams and information sharing.
PM-13	Security and Privacy Workforce	Establish a security and privacy workforce development and improvement program.
PM-14	Testing, Training, and Monitoring	Plan, implement and maintain processes for testing, training and monitoring across the program.
PM-15	Security and Privacy Groups and Associations	Establish and institutionalize contact with selected groups and associations.
PM-16	Threat Awareness Program	Implement a threat awareness program with cross-organization information-sharing capability.
PM-17	Protecting CUI on External Systems	Establish policy and procedures to ensure CUI is protected on external systems.
PM-18	Privacy Program Plan	Develop and disseminate an organization-wide privacy program plan that includes program objectives, structure, roles, an...
PM-19	Privacy Program Leadership Role	Appoint a senior agency official for privacy with the mission and resources to manage privacy.
PM-2	Information Security Program Leadership Role	Appoint a senior agency information security officer with mission, resources, authority to manage the program.
PM-20	Dissemination of Privacy Program Information	Maintain a central resource webpage on the organization's principal public website that serves as a central source of in...
PM-21	Accounting of Disclosures	Develop and maintain an accurate accounting of disclosures of personally identifiable information.
PM-22	Personally Identifiable Information Quality Management	Develop and document policies and procedures for ensuring PII quality.
PM-23	Data Governance Body	Establish a data governance body consisting of defined roles with defined responsibilities.
PM-24	Data Integrity Board	Establish a data integrity board to oversee data sharing and matching agreements.
PM-25	Minimization of PII Used in Testing, Training, and Research	Develop, document, and implement policies and procedures that address the use of PII for internal testing, training, and...
PM-26	Complaint Management	Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organi...
PM-27	Privacy Reporting	Develop and disseminate privacy reports to oversight bodies and other constituents at defined frequency.
PM-28	Risk Framing	Identify and document assumptions, constraints, priorities and trade-offs that affect risk decisions.
PM-29	Risk Management Program Leadership Roles	Appoint a senior accountable official for risk management and establish a risk executive function.
PM-3	Information Security and Privacy Resources	Include resources needed to implement the security and privacy programs and document exceptions to funding.
PM-30	Supply Chain Risk Management Strategy	Develop an organization-wide strategy for managing supply chain risks.
PM-31	Continuous Monitoring Strategy	Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs.
PM-32	Purposing	Analyze defined systems or system components, including hardware and software, to determine their intended purpose, and...
PM-4	Plan of Action and Milestones Process	Implement a process to ensure POA&Ms for the security and privacy programs and associated systems are developed and main...
PM-5	System Inventory	Develop and update an inventory of organizational systems.
PM-6	Measures of Performance	Develop, monitor, and report on the results of information security and privacy measures of performance.
PM-7	Enterprise Architecture	Develop an enterprise architecture integrating security and privacy considerations.
PM-8	Critical Infrastructure Plan	Address information security and privacy issues in the development of a critical infrastructure and key resources protec...
PM-9	Risk Management Strategy	Develop a comprehensive strategy to manage risk including threat, vulnerability, impact, likelihood and risk tolerance.

PS Personnel Security

9 controls

Controls in the PS Personnel Security domain of NIST SP 800-53 Rev 5 LOW — 9 controls
Code	Title	Description
PS-1	Policy and Procedures	Develop and review personnel security policy at least annually.
PS-2	Position Risk Designation	Assign risk designation to positions; review and update at least every three years.
PS-3	Personnel Screening	Screen individuals prior to authorizing access; rescreen at FedRAMP frequency per position risk; US citizenship may appl...
PS-4	Personnel Termination	Disable access and revoke authenticators within FedRAMP-defined time (same day); conduct exit interview; retrieve proper...
PS-5	Personnel Transfer	Review/confirm ongoing operational need for access when personnel transfer; modify access; notify within FedRAMP timefra...
PS-6	Access Agreements	Develop access agreements; review and update annually; require signature before access.
PS-7	External Personnel Security	Establish personnel security requirements for external providers; require providers to notify within FedRAMP timeframe o...
PS-8	Personnel Sanctions	Employ formal sanctions for personnel failing to comply with security/privacy policies; notify defined personnel within...
PS-9	Position Descriptions	Incorporate security/privacy roles and responsibilities into position descriptions.

PT PII Processing and Transparency

8 controls

Controls in the PT PII Processing and Transparency domain of NIST SP 800-53 Rev 5 LOW — 8 controls
Code	Title	Description
PT-1	Policy and Procedures	Develop, document, disseminate PII processing and transparency policy and procedures.
PT-2	Authority to Process PII	Determine and document the authority that permits processing of PII; restrict processing to that authority.
PT-3	PII Processing Purposes	Identify and document the purposes for processing PII. Describe purposes in notices, restrict processing to identified p...
PT-4	Consent	Implement tools or mechanisms for individuals to consent to the processing of their PII prior to its collection that fac...
PT-5	Privacy Notice	Provide notice to individuals about the processing of PII.
PT-6	System of Records Notice	For systems that process information about US citizens or lawful permanent residents that meets Privacy Act criteria, pu...
PT-7	Specific Categories of PII	Apply additional controls to special categories of PII (SSN, biometric, health). HIGH baseline applies in privacy scope.
PT-8	Computer Matching Requirements	Comply with Privacy Act computer matching requirements when systems engage in computer matching.

RA Risk Assessment

5 controls

Controls in the RA Risk Assessment domain of NIST SP 800-53 Rev 5 LOW — 5 controls
Code	Title	Description
RA-1	Policy and Procedures	Develop and review risk assessment policy at least annually.
RA-2	Security Categorization	Categorize system per FIPS 199; document; review and update annually.
RA-3	Risk Assessment	Conduct risk assessment annually (FedRAMP); document; review and update.
RA-5	Vulnerability Monitoring and Scanning	Scan for vulnerabilities monthly (FedRAMP); OS/network weekly, web app monthly, database monthly; remediate within FedRA...
RA-7	Identifies and Analyzes Risk	The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis f...

SA System and Services Acquisition

8 controls

Controls in the SA System and Services Acquisition domain of NIST SP 800-53 Rev 5 LOW — 8 controls
Code	Title	Description
SA-1	Logging and Monitoring	Collect, retain and monitor logs from IT and OT assets to detect anomalous activity.
SA-2	Common Operating Picture	Establish a common operating picture across IT, OT and physical security functions for cyber events.
SA-22	Unsupported System Components	Replace unsupported components or provide justification with risk acceptance and alternative protections.
SA-3	System Development Life Cycle	Manage system using SDLC incorporating security/privacy considerations.
SA-4	Acquisition Process	Include security/privacy requirements in contracts; FedRAMP-defined assurance requirements.
SA-5	System Documentation	Obtain administrator and user documentation; protect; distribute to FedRAMP-defined personnel.
SA-8	Security and Privacy Engineering Principles	Apply FedRAMP-defined systems security and privacy engineering principles in development.
SA-9	External System Services	Require providers of external system services to comply with security/privacy requirements; document oversight roles.

SC System and Communications Protection

10 controls

Controls in the SC System and Communications Protection domain of NIST SP 800-53 Rev 5 LOW — 10 controls
Code	Title	Description
SC-1	Policy and Procedures	Develop and review system/comms protection policy at least annually.
SC-12	Cryptographic Key Establishment and Management	Establish and manage cryptographic keys per FedRAMP requirements (FIPS-validated, key escrow/recovery as appropriate).
SC-13	Cryptographic Protection	Implement FedRAMP-defined cryptographic uses and approved cryptography (FIPS 140 validated).
SC-15	Collaborative Computing Devices and Applications	Prohibit remote activation of collaborative computing devices (cameras, mics) without explicit user indication; provide...
SC-20	Secure Name/Address Resolution Service (Authoritative)	Provide artifacts for additional data origin authentication and integrity verification (DNSSEC) for child zones; FedRAMP...
SC-21	Secure Name/Address Resolution Service (Recursive or Caching Resolver)	Request and perform data origin authentication and data integrity verification on name/address resolution responses; DNS...
SC-22	Architecture and Provisioning for Name/Address Resolution Service	Ensure DNS systems are fault-tolerant and implement role separation.
SC-39	Process Isolation	Maintain separate execution domain for each executing system process.
SC-5	Denial-of-Service Protection	Protect against or limit effects of DoS attacks using FedRAMP-defined safeguards.
SC-7	Boundary Protection	Monitor/control communications at external boundary and key internal boundaries; implement subnetworks for publicly acce...

SI System and Information Integrity

6 controls

Controls in the SI System and Information Integrity domain of NIST SP 800-53 Rev 5 LOW — 6 controls
Code	Title	Description
SI-1	Policy and Procedures	Develop and review system/information integrity policy at least annually.
SI-12	Information Management and Retention	Manage and retain information consistent with applicable laws, regulations, policies, standards.
SI-2	Flaw Remediation	Identify, report, and correct system flaws; remediate within FedRAMP-defined timeframes (HIGH critical 15d, high 30d).
SI-3	Malicious Code Protection	Implement signature-based and non-signature-based malicious code protection; configure to scan endpoints and entry/exit...
SI-4	System Monitoring	Monitor system to detect attacks; identify unauthorized use; deploy monitoring devices at boundaries and key internal po...
SI-5	Security Alerts, Advisories, and Directives	Receive alerts/advisories/directives from FedRAMP-defined external organizations (US-CERT, CISA); generate internal; dis...

SR Supply Chain Risk Management

8 controls

Controls in the SR Supply Chain Risk Management domain of NIST SP 800-53 Rev 5 LOW — 8 controls
Code	Title	Description
SR-1	Policy and Procedures (SR-1)	Develop, document, disseminate, and review supply chain risk management policy and procedures at defined frequency.
SR-10	Inspection of Systems or Components (SR-10)	Inspect systems or components at defined frequency or upon indications of tampering to detect compromise.
SR-11	Component Authenticity (SR-11)	Implement anti-counterfeit policy and procedures to detect and prevent counterfeit components.
SR-12	Component Disposal (SR-12)	Dispose of data, documentation, tools, or system components using defined techniques and methods.
SR-2	Supply Chain Risk Management Plan (SR-2)	Develop a C-SCRM plan for managing supply chain risks for systems, components, and services; review and update at define...
SR-3	Supply Chain Controls and Processes (SR-3)	Establish processes to identify, protect, detect, respond, and recover across the supply chain lifecycle.
SR-5	Acquisition Strategies, Tools, and Methods (SR-5)	Employ acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply...
SR-8	Notification Agreements (SR-8)	Establish agreements with suppliers for notification of supply chain compromises and relevant changes.

Your Compliance Coverage

If you comply with NIST SP 800-53 Rev 5 LOW, you already cover:

AWS Well-Architected Security Pillar

5 controls mapped

Compare →

Azure Security Benchmark

5 controls mapped

Compare →

NIST SP 800-190

4 controls mapped

Compare →

+ 241 more: NIST AI Risk Management Framework (AI RMF 1.0) (2%), ISO 27017 (2%)

See all 244 mapped frameworks ↓

Maps to 244 other frameworks

173 total controls

AWS Well-Architected Security Pillar

5 source controls mapped|4 target controls covered

Azure Security Benchmark

5 source controls mapped|4 target controls covered

NIST SP 800-190

4 source controls mapped|4 target controls covered

NIST AI Risk Management Framework (AI RMF 1.0)

4 source controls mapped|6 target controls covered

ISO 27017

4 source controls mapped|4 target controls covered

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

4 source controls mapped|5 target controls covered

ISO 27018

4 source controls mapped|4 target controls covered

ISO/IEC 42001:2023

3 source controls mapped|3 target controls covered

ISO/IEC 23894:2023

3 source controls mapped|7 target controls covered

Bahrain PDPL

3 source controls mapped|2 target controls covered

API 1164

3 source controls mapped|3 target controls covered

ASIS SPC.1-2009 - Organizational Resilience Standard

3 source controls mapped|2 target controls covered

ISO/IEC 29147:2018

3 source controls mapped|4 target controls covered

BSI IT-Grundschutz

3 source controls mapped|3 target controls covered

NIST Cybersecurity Framework 2.0

3 source controls mapped|5 target controls covered

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

3 source controls mapped|2 target controls covered

ISO/IEC 27031:2011

3 source controls mapped|2 target controls covered

IEC 62443

3 source controls mapped|3 target controls covered

ISO/IEC 29134:2023

3 source controls mapped|5 target controls covered

ISO/IEC 27014:2020

3 source controls mapped|4 target controls covered

Barbados Data Protection Act 2019

3 source controls mapped|2 target controls covered

ISO/IEC 27557:2022 - Organisational Privacy Risk Management

3 source controls mapped|6 target controls covered

Annex 11 to EU GMP - Computerised Systems

3 source controls mapped|4 target controls covered

NIST SP 800-146

3 source controls mapped|2 target controls covered

NIST SP 800-145

3 source controls mapped|3 target controls covered

NIST SP 800-144

3 source controls mapped|2 target controls covered

MTCS (Singapore)

3 source controls mapped|3 target controls covered

ISMAP (Japan)

3 source controls mapped|2 target controls covered

Florida Digital Bill of Rights (FDBR)

3 source controls mapped|3 target controls covered

GLI-33 - Gaming Laboratories International Event Wagering Systems

3 source controls mapped|3 target controls covered

ISO 27018:2019

2 source controls mapped|2 target controls covered

ISO 27701:2019

2 source controls mapped|2 target controls covered

ISO 31000:2018

2 source controls mapped|2 target controls covered

Illinois Biometric Information Privacy Act (BIPA)

2 source controls mapped|5 target controls covered

ISO 20400:2017 - Sustainable Procurement

2 source controls mapped|3 target controls covered

Virginia CDPA

2 source controls mapped|2 target controls covered

Uruguay DPL

2 source controls mapped|1 target controls covered

UNICEF Policy Guidance on AI for Children (2021)

2 source controls mapped|1 target controls covered

UK GDPR (UK General Data Protection Regulation)

2 source controls mapped|2 target controls covered

UK AI Regulation Framework

2 source controls mapped|2 target controls covered

TSA Pipeline Cybersecurity Directives

2 source controls mapped|2 target controls covered

Texas Data Privacy Act

2 source controls mapped|1 target controls covered

Taiwan PDPA

2 source controls mapped|2 target controls covered

French Sapin II Law (Law No. 2016-1691)

2 source controls mapped|3 target controls covered

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)

2 source controls mapped|2 target controls covered

AS9100D - Aerospace Quality Management System

2 source controls mapped|3 target controls covered

ISO/IEC 27003:2017

2 source controls mapped|3 target controls covered

NIST SP 1800-32

2 source controls mapped|3 target controls covered

FBI CJIS Security Policy

2 source controls mapped|1 target controls covered

NIST SP 800-53 Rev 5

2 source controls mapped|4 target controls covered

APPI

2 source controls mapped|1 target controls covered

AICPA Privacy Management Framework (PMF)

2 source controls mapped|3 target controls covered

ISO 27019

2 source controls mapped|3 target controls covered

ISO 41001:2018 - Facility Management Systems

2 source controls mapped|4 target controls covered

ISO 39001:2012 - Road Traffic Safety Management

2 source controls mapped|4 target controls covered

ISO 22313:2020 - Guidance on Business Continuity Management Systems

2 source controls mapped|4 target controls covered

APRA CPS 230 Operational Risk Management

2 source controls mapped|1 target controls covered

AML/CTF Act 2006 (Australia)

2 source controls mapped|1 target controls covered

ISO 45001

2 source controls mapped|2 target controls covered

ISO 22000

2 source controls mapped|2 target controls covered

GDPR

2 source controls mapped|1 target controls covered

SANS Incident Handler's Handbook and PICERL Methodology

2 source controls mapped|2 target controls covered

ISO 26262:2018 - Functional Safety for Road Vehicles

2 source controls mapped|2 target controls covered

SSAE 18 - Attestation Standards (SOC Reporting)

2 source controls mapped|5 target controls covered

NIST SP 800-82 Revision 3: Guide to Industrial Control Systems (ICS) Security

2 source controls mapped|3 target controls covered

New Zealand Information Security Manual (NZISM)

2 source controls mapped|2 target controls covered

IAEA Nuclear Security Series - Computer Security at Nuclear Facilities (NSS-17-T Rev 1)

2 source controls mapped|4 target controls covered

IAIS Insurance Core Principles (ICPs)

2 source controls mapped|2 target controls covered

Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)

2 source controls mapped|3 target controls covered

ISO/IEC 27006:2024

2 source controls mapped|4 target controls covered

ISO/IEC 27400:2022

2 source controls mapped|4 target controls covered

ISO 28001:2007 Supply Chain Security Management

2 source controls mapped|2 target controls covered

Regulation on the European Health Data Space (EHDS)

2 source controls mapped|2 target controls covered

OWASP DevSecOps Maturity Model (DSOMM)

2 source controls mapped|3 target controls covered

NIST Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems

2 source controls mapped|2 target controls covered

Nigeria Data Protection Act 2023 (NDPA)

2 source controls mapped|4 target controls covered

Nebraska Data Privacy Act

2 source controls mapped|4 target controls covered

South Korea PIPA

2 source controls mapped|2 target controls covered

ISO 27017:2015

1 source controls mapped|1 target controls covered

ISO 22301:2019

1 source controls mapped|2 target controls covered

ISO 26000:2010

1 source controls mapped|3 target controls covered

ICAO Annex 17 - Aviation Security (AVSEC)

1 source controls mapped|2 target controls covered

UNESCO Recommendation on the Ethics of AI

1 source controls mapped|1 target controls covered

UK FCA/PRA Operational Resilience Framework

1 source controls mapped|1 target controls covered

SEC Climate Disclosure Rule

1 source controls mapped|1 target controls covered

ISO 27799

1 source controls mapped|1 target controls covered

EASA Part-IS - Information Security in Aviation

1 source controls mapped|2 target controls covered

ISO 31000

1 source controls mapped|3 target controls covered

ISO 27005

1 source controls mapped|3 target controls covered

AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence

1 source controls mapped|1 target controls covered

NFPA 1600 - Standard on Continuity, Emergency, and Crisis Management

1 source controls mapped|1 target controls covered

Authorised Economic Operator (AEO) Programmes - Global Standards

1 source controls mapped|1 target controls covered

ISO 13485

1 source controls mapped|1 target controls covered

APRA SPS 220 Risk Management (Superannuation)

1 source controls mapped|1 target controls covered

Oman National Cybersecurity Framework

1 source controls mapped|1 target controls covered

NIS2 Directive

1 source controls mapped|1 target controls covered

NERC CIP

1 source controls mapped|1 target controls covered

Japan FSA Cybersecurity Guidelines for Financial Institutions

1 source controls mapped|1 target controls covered

FedRAMP High

1 source controls mapped|1 target controls covered

NIST SP 800-53 Revision 5.1 HIGH

1 source controls mapped|1 target controls covered

FedRAMP Moderate

1 source controls mapped|1 target controls covered

ASD Strategies to Mitigate Cyber Security Incidents

1 source controls mapped|2 target controls covered

FFIEC Cybersecurity Assessment Tool (CAT)

1 source controls mapped|1 target controls covered

NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI)

1 source controls mapped|1 target controls covered

ISO/IEC 30111:2019

1 source controls mapped|3 target controls covered

WCAG 2.2

1 source controls mapped|1 target controls covered

W3C Verifiable Credentials (VC) Data Model 2.0

1 source controls mapped|1 target controls covered

UK Gambling Commission - Cyber Resilience Requirements

1 source controls mapped|2 target controls covered

Regional Comprehensive Economic Partnership (RCEP) - E-Commerce Chapter

1 source controls mapped|1 target controls covered

UK Bribery Act 2010

1 source controls mapped|1 target controls covered

Trinidad and Tobago Data Protection Act 2011

1 source controls mapped|3 target controls covered

Tanzania Personal Data Protection Act (Draft)

1 source controls mapped|2 target controls covered

SLSA

1 source controls mapped|1 target controls covered

SIG (Shared Assessments)

1 source controls mapped|1 target controls covered

Protective Security Policy Framework (PSPF) Release 2024

1 source controls mapped|1 target controls covered

PSD2 SCA

1 source controls mapped|1 target controls covered

PTES

1 source controls mapped|1 target controls covered

PIC/S Guide to Good Manufacturing Practice for Medicinal Products

1 source controls mapped|3 target controls covered

Philippines Cybercrime Prevention Act (RA 10175)

1 source controls mapped|1 target controls covered

Pakistan Personal Data Protection Bill 2023

1 source controls mapped|2 target controls covered

OWASP Top 10:2025

1 source controls mapped|1 target controls covered

OWASP SAMM

1 source controls mapped|1 target controls covered

OWASP MASVS

1 source controls mapped|1 target controls covered

OSFI B-13

1 source controls mapped|1 target controls covered

OpenSSF Scorecard

1 source controls mapped|1 target controls covered

Open Banking Security

1 source controls mapped|1 target controls covered

OCC Heightened Standards (12 CFR Part 30, Appendix D)

1 source controls mapped|1 target controls covered

O-RAN WG11 Security Specification

1 source controls mapped|3 target controls covered

NRC 10 CFR 73.54 - Nuclear Facility Cybersecurity

1 source controls mapped|2 target controls covered

Notifiable Data Breaches Scheme (Australia)

1 source controls mapped|1 target controls covered

NIST SP 800-92

1 source controls mapped|1 target controls covered

NIST SP 800-88

1 source controls mapped|1 target controls covered

NIST SP 800-63-4

1 source controls mapped|1 target controls covered

NIST SP 800-61

1 source controls mapped|1 target controls covered

NIST SP 800-137

1 source controls mapped|1 target controls covered

NIST SP 800-123

1 source controls mapped|1 target controls covered

NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)

1 source controls mapped|1 target controls covered

NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

1 source controls mapped|1 target controls covered

NATO STANAG 4774 (Confidentiality Metadata Labels) and STANAG 4778 (Metadata Binding)

1 source controls mapped|2 target controls covered

Monetary Authority of Singapore Technology Risk Management Guidelines

1 source controls mapped|1 target controls covered

MITRE D3FEND

1 source controls mapped|1 target controls covered

MITRE ATT&CK

1 source controls mapped|1 target controls covered

ITU Radio Regulations and Space Security Standards

1 source controls mapped|1 target controls covered

ITAR - International Traffic in Arms Regulations

1 source controls mapped|1 target controls covered

Israel Protection of Privacy Law (5741-1981)

1 source controls mapped|2 target controls covered

IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)

1 source controls mapped|1 target controls covered

ICH Q10 - Pharmaceutical Quality System

1 source controls mapped|2 target controls covered

ICH E6(R3) - Good Clinical Practice

1 source controls mapped|1 target controls covered

IATF 16949:2016 - Quality Management System for Automotive Production

1 source controls mapped|2 target controls covered

IATA Operational Safety Audit (IOSA) Standards Manual

1 source controls mapped|1 target controls covered

HKMA SPM

1 source controls mapped|1 target controls covered

HKMA Cyber Resilience Assessment Framework (C-RAF)

1 source controls mapped|1 target controls covered

GLBA

1 source controls mapped|1 target controls covered

GAMP 5 - Good Automated Manufacturing Practice

1 source controls mapped|2 target controls covered

FTC GLBA Safeguards Rule (16 CFR Part 314)

1 source controls mapped|1 target controls covered

FedRAMP Rev 5

1 source controls mapped|2 target controls covered

FDA Quality Management System Regulation (QMSR)

1 source controls mapped|1 target controls covered

FATF Recommendation 16 - Virtual Asset Travel Rule

1 source controls mapped|1 target controls covered

ISO/IEC 27011:2024

1 source controls mapped|3 target controls covered

ISO 19011

1 source controls mapped|2 target controls covered

ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence

1 source controls mapped|5 target controls covered

21 CFR Part 58 - Good Laboratory Practice (GLP)

1 source controls mapped|2 target controls covered

BRCGS Global Standard for Food Safety Issue 9

1 source controls mapped|3 target controls covered

IEC 62351 - Power Systems Communication Security

1 source controls mapped|1 target controls covered

ISO/IEC 23837 - Security Requirements for Quantum Key Distribution

1 source controls mapped|3 target controls covered

ISO/IEC 29115:2023 - Entity Authentication Assurance Framework

1 source controls mapped|1 target controls covered

IEC 60601-1 - Medical Electrical Equipment Safety

1 source controls mapped|2 target controls covered

ISO/IEC 27007:2020

1 source controls mapped|1 target controls covered

ISO/IEC 29100:2024

1 source controls mapped|3 target controls covered

Azerbaijan Law on Personal Data (2010)

1 source controls mapped|1 target controls covered

ISO/IEC 27004:2016

1 source controls mapped|3 target controls covered

Albania Law on Protection of Personal Data (Law No. 9887, 2008, amended 2014)

1 source controls mapped|2 target controls covered

ISO/IEC 27050 - Electronic Discovery (Parts 1-4)

1 source controls mapped|1 target controls covered

ISO/IEC 38500:2024 - Governance of IT

1 source controls mapped|3 target controls covered

ISO 37000:2021 - Governance of Organizations

1 source controls mapped|3 target controls covered

NIST SP 800-124 Revision 2 - Guidelines for Managing the Security of Mobile Devices

1 source controls mapped|3 target controls covered

ISO 8000 - Data Quality

1 source controls mapped|2 target controls covered

SOC 2

1 source controls mapped|2 target controls covered

PCI PIN Security

1 source controls mapped|1 target controls covered

ISO 56002

1 source controls mapped|4 target controls covered

ISO 37002:2021 - Whistleblowing Management Systems

1 source controls mapped|3 target controls covered

ISO 22739:2024 - Blockchain and Distributed Ledger Technologies Vocabulary

1 source controls mapped|3 target controls covered

ISO/SAE 21434

1 source controls mapped|1 target controls covered

IEC 62304:2015 Medical Device Software Lifecycle Processes

1 source controls mapped|3 target controls covered

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

1 source controls mapped|1 target controls covered

21 CFR Part 211 - Current Good Manufacturing Practice

1 source controls mapped|1 target controls covered

ISO/IEC 17025:2017 - General Requirements for Testing and Calibration Laboratories

1 source controls mapped|3 target controls covered

DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)

1 source controls mapped|3 target controls covered

ISO/IEC 25012:2008 - Data Quality Model

1 source controls mapped|2 target controls covered

ISO 22320:2018

1 source controls mapped|3 target controls covered

ISO 19650 - Organisation and Digitisation of Information about Buildings and Civil Engineering Works (BIM)

1 source controls mapped|3 target controls covered

Automotive SPICE (ASPICE) v4.0 - Process Assessment Model

1 source controls mapped|2 target controls covered

FFIEC IT Examination Handbook

1 source controls mapped|1 target controls covered

ISO 14064 - Greenhouse Gas Accounting and Verification (Parts 1-3)

1 source controls mapped|1 target controls covered

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

1 source controls mapped|1 target controls covered

APRA CPS 234

1 source controls mapped|1 target controls covered

ISO 27043

1 source controls mapped|1 target controls covered

COBIT 2019

1 source controls mapped|1 target controls covered

PCI P2PE

1 source controls mapped|1 target controls covered

PCI SSF

1 source controls mapped|1 target controls covered

US Children's Online Privacy Protection Act (COPPA) and COPPA 2.0 Proposed Updates

1 source controls mapped|1 target controls covered

Vietnam PDPD

1 source controls mapped|1 target controls covered

Turkey KVKK

1 source controls mapped|1 target controls covered

TCFD Recommendations

1 source controls mapped|1 target controls covered

SASB Standards

1 source controls mapped|1 target controls covered

Qatar DPL

1 source controls mapped|1 target controls covered

Privacy Act 2020

1 source controls mapped|1 target controls covered

Privacy Act 1988 (Australia)

1 source controls mapped|1 target controls covered

POPIA

1 source controls mapped|1 target controls covered

Personal Data Act (personopplysningsloven)

1 source controls mapped|1 target controls covered

PDPA Thailand

1 source controls mapped|1 target controls covered

PDPA Singapore

1 source controls mapped|1 target controls covered

Oregon Consumer Privacy Act

1 source controls mapped|1 target controls covered

OECD AI Principles

1 source controls mapped|1 target controls covered

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

1 source controls mapped|1 target controls covered

NIST SP 800-122

1 source controls mapped|1 target controls covered

NIST Privacy Framework

1 source controls mapped|1 target controls covered

Nigeria Data Protection Regulation (NDPR)

1 source controls mapped|1 target controls covered

New Jersey Data Privacy Act

1 source controls mapped|1 target controls covered

New Hampshire Data Privacy Act

1 source controls mapped|1 target controls covered

Montana Consumer Data Privacy Act

1 source controls mapped|1 target controls covered

Minnesota Consumer Data Privacy Act

1 source controls mapped|1 target controls covered

Mexico LFPDPPP

1 source controls mapped|1 target controls covered

Mauritius DPA

1 source controls mapped|1 target controls covered

Maryland Online Data Privacy Act of 2024

1 source controls mapped|1 target controls covered

Malaysia PDPA 2010

1 source controls mapped|1 target controls covered

Liechtenstein DPA

1 source controls mapped|1 target controls covered

LGPD

1 source controls mapped|1 target controls covered

Ley Orgánica de Protección de Datos Personales (LOPDP)

1 source controls mapped|1 target controls covered

Law No. 172-13 on the Protection of Personal Data

1 source controls mapped|1 target controls covered

Kentucky Consumer Data Protection Act

1 source controls mapped|1 target controls covered

Japan AI Guidelines

1 source controls mapped|1 target controls covered

Jamaica Data Protection Act 2020

1 source controls mapped|1 target controls covered

ISSB Standards

1 source controls mapped|1 target controls covered

Iowa Consumer Data Protection Act

1 source controls mapped|1 target controls covered

Indonesia PDP Law

1 source controls mapped|1 target controls covered

Indiana Consumer Data Protection Act

1 source controls mapped|1 target controls covered

India DPDP Act

1 source controls mapped|1 target controls covered

IEEE 7000

1 source controls mapped|1 target controls covered

Iceland Data Protection and Processing of Personal Data Act (Act No. 90/2018)

1 source controls mapped|1 target controls covered

GRI Standards

1 source controls mapped|1 target controls covered

Global Cross-Border Privacy Rules (Global CBPR) Forum

1 source controls mapped|1 target controls covered

Family Educational Rights and Privacy Act (FERPA)

1 source controls mapped|1 target controls covered

ISO 14001

1 source controls mapped|1 target controls covered

Compare NIST SP 800-53 Rev 5 LOW with AWS Well-Architected Security Pillar

Frequently Asked Questions

What is NIST SP 800-53 Rev 5 LOW?

NIST SP 800-53 Rev 5 LOW is a compliance framework from United States with 20 domains and 173 controls. NIST SP 800-53 Rev 5 LOW baseline. Federal Information Security Management Act controls for systems at LOW impact level. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-53 Rev 5 LOW have?

NIST SP 800-53 Rev 5 LOW has 173 controls organised across 20 domains. The largest domains are PM Program Management (32 controls), AC Access Control (11 controls), AU Audit and Accountability (10 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-53 Rev 5 LOW map to?

NIST SP 800-53 Rev 5 LOW maps to 244 other compliance frameworks. The top mapping partners are AWS Well-Architected Security Pillar (3% coverage), Azure Security Benchmark (3% coverage), NIST SP 800-190 (2% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with NIST SP 800-53 Rev 5 LOW compliance?

Start your NIST SP 800-53 Rev 5 LOW compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-53 Rev 5 LOW requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 173 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required